Defending Azure Active Directory: Pass-Through Authentication Attacks and Countermeasures
Syynimaa, Nestori (2023)
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2023091825938
Abstract
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management system used by 90 per cent of Fortune 500 organisations. Pass-through Authentication (PTA) is one of the hybrid authentication methods supported by Azure AD. It is based on an agent installed on an on-premises server, communicating with Azure AD to respond to authentication requests.
Secureworks Taegis XDR is a cloud-native security platform that uses automation to prevent, detect, and respond to advanced threats. The research aimed to implement countermeasures against PTA-related attacks in Taegis XDR. This aim was divided into three concrete objectives: study the details of PTA, find possible vulnerabilities and exploitation techniques, and research how to detect and respond to their exploitation.
Vulnerabilities enabling novel PTA-related attacks, which allow threat actors to gain remote, persistent, and undetectable access to a target organisation's Azure AD, were found. However, countermeasures could not be implemented because Azure AD lacks the detection and remediation mechanisms they would require.
The main outputs of the research are three artefacts: a PTA Attack Graph, an exploit automation solution, and the PTAAgentDump tool. The first artefact summarises the current knowledge of PTA-related attacks, and the second automates PTA-attack simulation. The main contribution, the PTAAgentDump tool, allows administrators to identify ongoing remote PTA-related attacks, which cannot be done with Microsoft's tools.